#IstioCon Secure your microservices with istio step by step JianFeng Ding, LuYao Zhong #IstioCon Agenda ● Istio identity ● mTLS in Isito ● Secure ingress traffic ● Authorize ingress traffic ● Authorize Enable Access Control to your services via Istio authorization policy Istio will Secure your microservices for you! #IstioCon Thank you!

Leveraging Istio for Creating API Tests Low Effort API Testing for Microservices | CONFIDENTIAL • What has changed? – Migration to microservices triggering need for extensive API tests • Problem: – Creating auto-generated from end-to-end tests – Significantly reduced time and cost for API testing for microservices architectures with Istio – Fewer failures higher up the test pyramid as a result of improved

all 3 zones ● REST APIs for client traffic ● gRPC for inter-service traffic ● Around 100+ microservices ● Majority of services written in Go #IstioCon Architecture Overview - Discovery and Routing ● Extendable to multi-region setup #IstioCon Approach #IstioCon Rollout - Istio setup and Microservices ● Split rollout in to phases ● Setup control plane and related tooling ● Sidecar injection Kubernetes Cluster-IP services deployed across clusters #IstioCon Rollout - Istio setup and Microservices ● Export metrics to central prometheus ● Outlier detection for better reliability ● Enable

few years to shape how software is built and deployed. To manage a fleet of containers running microservices, one needs robust cluster management capabilities that can handle scheduling, service discovery receive the IP address of the replacement container? This is an important consideration in a microservices architecture where you must dynamically manage service endpoints. While Docker allows networking containerized applications at scale, and making the most of Rancher’s capabilities o Launching Microservices Deployments on Kubernetes with Rancher: an additional quick walkthrough on using Kubernetes

Istio & Kubernetes • Istio & Kubernetes上的灰度发布 An open platform to connect, manage, and secure microservices. Istio项目 微服务角度看Istio: 治理形态的演变 Node 1 svc1 自身业务 SDK Sidecar 服务治理 Node 2 svc 2 自身业务 SDK without notice. Thank You. Istio & Kubernetes 在Google：Managed Istio Istio & Kubernetes 在Google：microservices become API Apigee API Management complements Istio with the robust features of Google Cloud's Cloud's Apigee API management platform, Apigee Edge, by extending API management natively into the microservices stack Istio & Kubernetes 在Google： Knative Knative Serving builds on Kubernetes and Istio to

holding back micro-service development? Hard to incrementally migrate from existing code to a microservices architecture Programming model runtimes have narrow language support and tightly controlled Any cloud or edge infrastructure HTTP API gRPC API Application code Any code or framework… Microservices written in Cloud + Edge Distributed tracing See and measure the message calls across components services Actors Encapsulate code and data in reusable actor objects as a common microservices design pattern Resource bindings and triggers Trigger code through events from a large

Works GoPay & Istio About ● A few hundred developers ● Multiple Kubernetes Clusters ● 250+ microservices ● 150M+ internal API calls ● 3000+ deployments every week ● REST as well as gRPC services container and VM. ● Over time, managing Envoy and Consul became a burden, as we have more than +250 microservices using Envoy and Consul for service discovery. Istio ● We were using Envoy before which made

September 24, 2022 Shanghai, China Cloud Native Application Networking Secure, Observe and manage microservices Outline ● Background ● Enterprise Service Mesh: Tetrate Service Bridge ● Tetrate OSS Projects aware network Cloud!=Cloud Native Bare metal VMs Kubernetes VMs ● Monolith was decoupled to Microservices ● External and internal traffic starts to look less and less different from the perspective

of multi-dimensional resources in clusters and workspaces Not supported Not supported Microservices Governance Grayscale release Blue-green deployment, grayscale release, traffic mirroring lines required to use Istio for implementing grayscale release Traffic governance Built-in microservices traffic topology maps available to support fine-grained traffic governance policies Manually

payments Mercari holds in escrow, and simple and affordable shipping options. 5 6 ● 200+ microservices (200+ namespaces) ● 100K RPS at peak on API Gateway ● 1 main production Google Kubernetes Engine HTTP/2 load-balancing from client-side to Envoy Adopting Istio ● We use gRPC heavily in our microservices ● But Kubernetes is pretty bad at load-balancing it ● So we solved it by using a client-side